Wednesday, December 21, 2016
CVE Announce - December 21, 2016 (opt-in newsletter from the CVE website)
designed to bring recent news about CVE, such as new compatible products, new website
features, CVE in the news, etc. right to your email box. Common Vulnerabilities and
Exposures (CVE) is the standard for cyber security vulnerability names. The CVE Board
provides oversight and input into CVE's strategic direction, ensuring CVE meets the
vulnerability identification needs of the technology community. CVE Numbering
Authorities (CNAs) are major OS vendors, security researchers, and research
organizations that assign CVE Identifiers (CVE IDs) to newly discovered issues without
directly involving MITRE in the details of the specific vulnerabilities, and include the
CVE IDs in the first public disclosure of the vulnerabilities. Details on subscribing
(and unsubscribing) to the email newsletter are at the end. Please feel free to pass
this newsletter on to interested colleagues.
Comments: cve@mitre.org
-------------------------------------------------------
CVE-Announce e-newsletter/December 21, 2016
-------------------------------------------------------
Contents:
1. OpenSSL Software Foundation Added as CVE Numbering Authority (CNA)
2. New CVE Board Member from JPCERT/CC
3. 1 Product from Cronus Cyber Technologies Now Registered as Officially
"CVE-Compatible"
4. New CVE Blog Post: "What's your opinion on updating CVE ID Descriptions?"
5. Also in this Issue
6. Details/Credits + Subscribing and Unsubscribing
FEATURE STORY:
OpenSSL Software Foundation Added as CVE Numbering Authority (CNA)
OpenSSL Software Foundation is now a CVE Numbering Authority (CNA). CNAs are OS and
product vendors, developers, security researchers, and research organizations that
assign CVE IDs to newly discovered issues without directly involving MITRE in the
details of the specific vulnerabilities, and include the CVE ID numbers in the first
public disclosure of the vulnerabilities.
CNAs are the main method for requesting a CVE ID number. The following 41 organizations
currently participate as CNAs: Adobe; Apache; Apple; BlackBerry; Brocade; CERT/CC; Check
Point; Cisco; Debian GNU/Linux; Distributed Weakness Filing Project; EMC; F5; Fortinet;
FreeBSD; Google; HackerOne; HP; Hewlett Packard Enterprise; Huawei; IBM; ICS-CERT;
Intel; JPCERT/CC; Juniper; Larry Cashdollar; Lenovo; MarkLogic; Micro Focus; Microsoft;
MITRE (primary CNA); Mozilla; Objective Development; OpenSSL; Oracle; Red Hat; Silicon
Graphics; Symantec; Talos; Ubuntu Linux; and Yandex.
For more information about requesting CVE ID numbers from CNAs, visit "Products Covered"
on the CVE website at
https://cve.mitre.org/cve/data_sources_product_coverage.html#products.html.
LINKS:
OpenSSL -
https://www.openssl.org/
CNAs -
https://cve.mitre.org/cve/cna.html
Request a CVE ID from a CNA -
https://cve.mitre.org/cve/data_sources_product_coverage.html#products.html
CVE News page article -
https://cve.mitre.org/news/archives/2016/news.html#december212016_OpenSSL_Software_Foundation_Added_as_CVE_Numbering_Authority_CNA
---------------------------------------------------------------
New CVE Board Member from JPCERT/CC
Takayuki Uchiyama of JPCERT Coordination Center (JPCERT/CC) has joined the CVE Board.
Read the full announcement and welcome message in the CVE Board email discussion list
archive at: https://cve.mitre.org/data/board/archives/2016-12/msg00006.html.
LINKS:
JPCERT/CC -
https://www.jpcert.or.jp/
CVE Board -
https://cve.mitre.org/community/board/index.html
CVE News page article -
https://cve.mitre.org/news/archives/2016/news.html#december152016_New_CVE_Board_Member_from_JPCERT/CC
---------------------------------------------------------------
1 Product from Cronus Cyber Technologies Now Registered as Officially "CVE-Compatible"
One additional cyber security product has achieved the final stage of MITRE's formal CVE
Compatibility Process and is now officially "CVE-Compatible." The product is now
eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed
"CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as
part of the organization's listing on the CVE-Compatible Products and Services page on
the CVE website. A total of 151 products to-date have been recognized as officially
compatible.
* Cronus Cyber Technologies - CyBot Suite
Use of the official CVE-Compatible logo will allow system administrators and other
security professionals to look for the logo when adopting vulnerability management
products and services for their enterprises, and the compatibility process questionnaire
will help end-users compare how different products and services satisfy the CVE
compatibility requirements, and therefore which specific implementations are best for
their networks and systems.
For additional information and to review all products and services listed, visit the
CVE-Compatible Products and Services section of the CVE website at
https://cve.mitre.org/compatible/index.html.
LINKS:
Cronus Cyber Technologies -
http://cronus-cyber.com/
CyBot Suite -
https://cve.mitre.org/compatible/questionnaires/171.html
Process -
https://cve.mitre.org/compatible/process.html
Requirements -
https://cve.mitre.org/compatible/requirements.html
Participating Organizations -
https://cve.mitre.org/compatible/organizations.html
Make a Declaration -
https://cve.mitre.org/compatible/make_a_declaration.html
CVE News page article -
https://cve.mitre.org/news/archives/2016/news.html#december022016_1_Product_from_Cronus_Cyber_Technologies_Now_Registered_as_Officially_CVE_Compatible
---------------------------------------------------------------
New CVE Blog Post: "What's your opinion on updating CVE ID Descriptions?"
Last month, we asked the CVE community how you used CVE ID Descriptions. This month, we
are following up on that question, asking about another aspect of how CVE ID
Descriptions and their content are used.
Specifically, we would like to hear your thoughts on updating CVE ID Descriptions when
new details about the vulnerability become available.
Please read the full post at
https://cve.mitre.org/blog/index.html#december152016_What's_your_opinion_on_updating_CVE_ID_Descriptions?,
and let us know what you think. We very much look forward to hearing from you!
LINK:
CVE Blog post -
https://cve.mitre.org/blog/index.html#december152016_What's_your_opinion_on_updating_CVE_ID_Descriptions?
---------------------------------------------------------------
ALSO IN THIS ISSUE:
* Minutes from CVE Board Teleconference Meeting on November 30 Now Available
Read these stories and more news at https://cve.mitre.org/news.
---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing
Managing Editor: Dan Adinolfi, Cyber Security Technical Center. Writer: Bob Roberge. The
MITRE Corporation (www.mitre.org) maintains CVE and provides impartial technical
guidance to the CVE Board and CVE Numbering Authorities on all matters related to
ongoing development of CVE.
To unsubscribe from the CVE-Announce e-newsletter, open a new email message and copy the
following text to the BODY of the message "SIGNOFF CVE-Announce-List", then send the
message to: listserv@lists.mitre.org. To subscribe, send an email message to
listserv@lists.mitre.org with the following text in the BODY of the message: "SUBSCRIBE
CVE-Announce-List".
Copyright 2016, The MITRE Corporation. CVE and the CVE logo are registered trademarks of
The MITRE Corporation. CVE is sponsored by US-CERT (www.us-cert.gov) in the office of
Cybersecurity and Communications (www.dhs.gov/office-cybersecurity-and-communications)
at the U.S. Department of Homeland Security (www.dhs.gov).
For more information about CVE, visit the CVE website at https://cve.mitre.org or send
an email to cve@mitre.org.
Thursday, November 10, 2016
CVE Announce - November 10, 2016 (opt-in newsletter from the CVE website)
Comments: cve@mitre.org
-------------------------------------------------------
CVE-Announce e-newsletter/November 10, 2016
-------------------------------------------------------
Contents:
1. CVE Launches Community Engagement Blog
2. CVE Adds 13 New CVE Numbering Authorities (CNAs)
3. 2 Products from SAINT Corporation Now Registered as Officially "CVE-Compatible"
4. Also in this Issue
5. Details/Credits + Subscribing and Unsubscribing
FEATURE STORY:
CVE Launches Community Engagement Blog
The CVE Team has launched a "CVE Blog" to establish a dialogue with CVE users and to get
your input on issues and topics that are important to CVE.
Our first post is: "What's your opinion on how Descriptions are used in CVE IDs?"
Please read the post at
https://cve.mitre.org/blog/index.html#november042016_Whats_your_opinion_on_how_Descriptions_are_used_in_CVE IDs?,
and let us know what you think.
We very much look forward to hearing from you!
LINKS:
CVE Blog -
https://cve.mitre.org/blog
CVE News page article -
https://cve.mitre.org/news/archives/2016/news.html#november042016_CVE_Launches_Community_Engagement_Blog
---------------------------------------------------------------
CVE Adds 13 New CVE Numbering Authorities (CNAs)
The following ten software vendors, two vulnerability researchers, and one third-party
coordinator are now CVE Numbering Authorities (CNAs): Brocade Communications Systems,
Inc.; Check Point Software Technologies Ltd.; F5 Networks, Inc.; Fortinet, Inc.; Huawei
Technologies Co., Ltd.; Larry Cashdollar (vulnerability researcher); HackerOne
(third-party coordinator); Lenovo Group Ltd.; MarkLogic Corporation; Nvidia Corporation;
Objective Development Software GmbH; Talos (vulnerability researcher); and Yandex N.V.
CNAs are OS and product vendors, developers, security researchers, and research
organizations that assign CVE IDs to newly discovered issues without directly involving
MITRE in the details of the specific vulnerabilities, and include the CVE ID numbers in
the first public disclosure of the vulnerabilities.
CNAs are the main method for requesting a CVE ID number. The following 40 organizations
currently participate as CNAs: Adobe; Apache; Apple; BlackBerry; Brocade; CERT/CC; Check
Point; Cisco; Debian GNU/Linux; Distributed Weakness Filing Project; EMC; F5; Fortinet;
FreeBSD; Google; HackerOne; HP; Hewlett Packard Enterprise; Huawei; IBM; ICS-CERT;
Intel; JPCERT/CC; Juniper; Larry Cashdollar; Lenovo; MarkLogic; Micro Focus; Microsoft;
MITRE (primary CNA); Mozilla; Objective Development; Oracle; Red Hat; Silicon Graphics;
Symantec; Talos; Ubuntu Linux; and Yandex.
For more information about requesting CVE ID numbers from CNAs, visit the CVE Numbering
Authorities page on the CVE website at
https://cve.mitre.org/cve/cna.html#participating_cnas.
LINKS:
Request a CVE ID from a CNA -
https://cve.mitre.org/cve/cna.html#requesting_cve_ids
CVE News page article -
https://cve.mitre.org/news/archives/2016/news.html#november012016_CVE_Adds_13_New_CVE_Numbering_Authorities_CNAs
---------------------------------------------------------------
2 Products from SAINT Corporation Now Registered as Officially "CVE-Compatible"
Two additional cybersecurity products have achieved the final stage of MITRE's formal CVE
Compatibility Process and are now officially "CVE-Compatible." The products are now
eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed
"CVE Compatibility Requirements Evaluation" questionnaire is posted for each product as
part of the organization's listing on the CVE-Compatible Products and Services page on
the CVE Web site. A total of 150 products to-date have been recognized as officially
compatible.
The following two products are now registered as officially "CVE-Compatible":
* SAINT Corporation
- SAINT Security Suite
- SAINTCloud
Use of the official CVE-Compatible logo will allow system administrators and other
security professionals to look for the logo when adopting vulnerability management
products and services for their enterprises, and the compatibility process questionnaire
will help end-users compare how different products and services satisfy the CVE
compatibility requirements, and therefore which specific implementations are best for
their networks and systems.
For additional information and to review all products and services listed, visit the
CVE-Compatible Products and Services section of the CVE website at
https://cve.mitre.org/compatible/index.html.
LINKS:
SAINT Corporation -
http://www.saintcorporation.com/
SAINT Security Suite -
https://cve.mitre.org/compatible/questionnaires/69.html
SAINT Security Suite -
https://cve.mitre.org/compatible/questionnaires/30.html
Process -
https://cve.mitre.org/compatible/process.html
Requirements -
https://cve.mitre.org/compatible/requirements.html
Participating Organizations -
https://cve.mitre.org/compatible/organizations.html
Make a Declaration -
https://cve.mitre.org/compatible/make_a_declaration.html
CVE News page article -
https://cve.mitre.org/news/archives/2016/news.html#november042016_2_Products_from_SAINT_Corporation_Now_Registered_as_Officially_CVE_Compatible
---------------------------------------------------------------
ALSO IN THIS ISSUE:
* Minutes from CVE Editorial Board Teleconference Meeting on October 19 Now Available
Read these stories and more news at https://cve.mitre.org/news.
---------------------------------------------------------------
Wednesday, October 26, 2016
CVE Announce - October 26, 2016 (opt-in newsletter from the CVE website)
Comments: cve@mitre.org
-------------------------------------------------------
CVE-Announce e-newsletter/October 26, 2016
-------------------------------------------------------
Contents:
1. Huawei Technologies Makes Two Declarations of CVE Compatibility
2. Minutes from CVE Board Teleconference Meeting on October 5 Now Available
3. CVE Privacy Policy Updated
4. Also in this Issue
5. Details/Credits + Subscribing and Unsubscribing
FEATURE STORY:
Huawei Technologies Makes Two Declarations of CVE Compatibility
Huawei Technologies Co., Ltd. declared that its firewall and application security
gateway products, Huawei Next Generation Firewall Eudemon 200E-N/1000E-N/8000E-X Series
and Huawei Next Generation Firewall USG6000/9000 Series, are CVE-Compatible.
For additional information and to review all products and services listed, visit the
CVE-Compatible Products and Services section of the CVE website at
https://cve.mitre.org/compatible/index.html.
LINKS:
Huawei Technologies -
http://www.huawei.com/
Process -
https://cve.mitre.org/compatible/process.html
Requirements -
https://cve.mitre.org/compatible/requirements.html
Participating Organizations -
https://cve.mitre.org/compatible/organizations.html
Make a Declaration -
https://cve.mitre.org/compatible/make_a_declaration.html
CVE News page article -
https://cve.mitre.org/news/archives/2016/news.html#october202016_Huawei_Technologies_Makes_Two_Declarations_of_CVE_Compatibility
---------------------------------------------------------------
Minutes from CVE Editorial Board Teleconference Meeting on October 5 Now Available
The CVE Editorial Board held a teleconference meeting on October 5, 2016. Read the
meeting minutes at https://cve.mitre.org/data/board/archives/2016-10/msg00042.html.
OTHER LINKS:
CVE Editorial Board -
https://cve.mitre.org/community/board/
CVE News page article -
https://cve.mitre.org/news/archives/2016/news.html#october202016_Minutes_from_CVE_Board_Teleconference_Meeting_on_October_5_Now_Available
---------------------------------------------------------------
CVE Privacy Policy Updated
The CVE Privacy Policy was updated to include the new CVE Request web form.
LINKS:
CVE Privacy Policy -
https://cve.mitre.org/about/privacy_policy.html
CVE Request Web Form -
https://cveform.mitre.org/
CVE News page article -
https://cve.mitre.org/news/archives/2016/news.html#october202016_CVE_Privacy_Policy_Updated
---------------------------------------------------------------
ALSO IN THIS ISSUE:
* CVE Mentioned in Article about Oracle's Quarterly Critical Patch Update for 253
Vulnerabilities on PCWorld
* CVE Mentioned in Article about Microsoft Patching Five Zero-Day Vulnerabilities on
Threatpost
* CVE Mentioned in Article about Three Severe Vulnerabilities in Insulin Pumps on ZDNet
* CVE Mentioned in Article about a Critical Vulnerability in Email Security Appliances
on Threatpost
Read these stories and more news at https://cve.mitre.org/news.
---------------------------------------------------------------
Monday, September 26, 2016
CVE Announce - September 26, 2016 (opt-in newsletter from the CVE Web site)
Comments: cve@mitre.org
-------------------------------------------------------
CVE-Announce e-newsletter/September 26, 2016
-------------------------------------------------------
Contents:
1. CVE Refreshes Website with New Look and Feel and Easier-to-Use Navigation Menus
2. New CVE Board Charter Is Approved
3. Minutes from CVE Board Teleconference Meeting on August 25 Now Available
4. Apache Software Foundation and Intel Corporation Added as CVE Numbering Authorities
(CNAs)
5. Also in this Issue
6. Details/Credits + Subscribing and Unsubscribing
FEATURE STORY:
CVE Refreshes Website with New Look and Feel and Easier-to-Use Navigation Menus
We have updated the CVE website to streamline site navigation for an improved user
experience. The main navigation menu is now located in an easy-to-access menu bar at the
top of every page, and expanded Section Contents menus for each section of the website
are on the left of each interior page.
The homepage has also been refreshed and now includes quick-access links to the most
frequently requested information about CVE including requesting CVE IDs, updating
information in CVE IDs, access to the various CVE List downloads, and where to find data
feeds of CVE content.
The website is now organized into these main sections:
* CVE IDs - visit to search, download, or view the CVE List; request CVE IDs; update
information in CVE IDs; and to view other supporting information and documentation about
CVE IDs and the CVE List
* About CVE - visit for an overview of the CVE effort, answers to FAQs, and our
documents archive
* Compatible Products & More - visit to see the numerous products and services that use,
or are built upon, CVE IDs
* Community - visit to learn more about CVE Numbering Authorities (CNAs); the CVE Board
including links to meeting summaries and a discussion archive; the CVE Sponsor; and
other community members
* News - visit for the latest CVE news, and to sign-up for our free e-newsletter
* Site Search - visit to search this website, for links to other searches including the
CVE List and the enhanced CVE content search in the U.S. National Vulnerability
Database, and for access to our site map
Additional updates will be coming soon, so please check back frequently.
Please send any comments or concerns to cve@mitre.org.
LINKS:
CVE website -
https://cve.mitre.org/
CVE News page article -
https://cve.mitre.org/news/archives/2016/news.html#september132016_CVE_Refreshes_Website_with_New_Look_and_Feel_and_Easier_to_Use_Navigation_Menus
---------------------------------------------------------------
New CVE Board Charter Is Approved
We are pleased to announce that the CVE Board has approved the latest version of the
"CVE Board Charter," which includes several important updates to membership, board
member roles and responsibilities, as well as a number of policy and procedure changes.
This update was the result of many hours of hard work by the Board, and the resulting
document better positions CVE for success as it expands its reach to other sectors.
LINKS:
CVE Board Charter -
https://cve.mitre.org/community/board/charter.html
CVE Board Current Members -
https://cve.mitre.org/community/board/index.html
CVE News page article -
https://cve.mitre.org/news/archives/2016/news.html#september132016_New_CVE_Board_Charter_Is_Approved
---------------------------------------------------------------
Minutes from CVE Editorial Board Teleconference Meeting on August 25 Now Available
The CVE Editorial Board held a teleconference meeting on August 25, 2016. Read the
meeting minutes at https://cve.mitre.org/data/board/archives/2016-09/msg00004.html.
OTHER LINKS:
CVE Editorial Board -
https://cve.mitre.org/community/board/
CVE News page article -
https://cve.mitre.org/news/archives/2016/news.html#september202016_Minutes_from_CVE_Board_Teleconference_Meeting_on_August_25_Now_Available
---------------------------------------------------------------
Apache Software Foundation and Intel Corporation Added as CVE Numbering Authorities
(CNAs)
Intel Corporation and Apache Software Foundation are now CVE Numbering Authorities
(CNAs). CNAs are OS and product vendors, developers, security researchers, and research
organizations that assign CVE IDs to newly discovered issues without directly involving
MITRE in the details of the specific vulnerabilities, and include the CVE IDs in the
first public disclosure of the vulnerabilities.
CNAs are the main method for requesting a CVE ID. The following 27 organizations
currently participate as CNAs: Adobe; Apache; Apple; BlackBerry; CERT/CC; Cisco; Debian
GNU/Linux; Distributed Weakness Filing Project; EMC; FreeBSD; Google; HP; Hewlett
Packard Enterprise; IBM; ICS-CERT; Intel; JPCERT/CC; Juniper; Micro Focus; Microsoft;
MITRE (primary CNA); Mozilla; Oracle; Red Hat; Silicon Graphics; Symantec; and Ubuntu
Linux.
For more information about requesting CVE IDs from CNAs, visit the CVE Numbering
Authorities page on the CVE website.
LINKS:
Apache -
https://www.apache.org/
Intel -
http://www.intel.com/
CNAs -
https://cve.mitre.org/cve/cna.html
CVE IDs -
https://cve.mitre.org/cve/identifiers/index.html
CVE News page article -
https://cve.mitre.org/news/archives/2016/news.html#august192016_Apache_Software_Foundation_and_Intel_Corporation_Added_as_CVE_Numbering_Authority_CNA
---------------------------------------------------------------
ALSO IN THIS ISSUE:
* CVE Mentioned in Article about a Zero-Day MySQL Vulnerability on ZDNet
* CVE Mentioned in Article about a Severe WebEx Vulnerability on The Register
* CVE IDs Assigned for Public Vulnerabilities Related to "The Shadow Brokers"
Disclosures
Read these stories and more news at https://cve.mitre.org/news.
---------------------------------------------------------------
Monday, August 29, 2016
New Method to Request CVE IDs, Updates, and More from MITRE in Effect
Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is designed to bring recent news about Common Vulnerabilities and Exposures (CVE), such as new compatible products, new website features, CVE in the news, etc. right to your email box. CVE is the standard for cyber security vulnerability names. The CVE Board provides oversight and input into CVE’s strategic direction, ensuring CVE meets the vulnerability identification needs of the technology community. CVE Numbering Authorities (CNAs) are major OS vendors, security researchers, and research organizations that assign CVE Identifiers to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE Identifiers in the first public disclosure of the vulnerabilities. Details on subscribing (and unsubscribing) to the email newsletter are at the end. Please feel free to pass this newsletter on to interested colleagues.
Comments: cve@mitre.org
-------------------------------------------------------
CVE-Announce e-newsletter/August 29, 2016
-------------------------------------------------------
Contents:
1. New Method to Request CVE IDs, Updates, and More from MITRE in Effect
2. Details/Credits + Subscribing and Unsubscribing
FEATURE STORY:
New Method to Request CVE IDs, Updates, and More from MITRE in Effect
Beginning August 29, 2016, anyone requesting a CVE ID from MITRE, requesting an update to a CVE, providing notification about a vulnerability publication, or submitting comments will do so by submitting a “CVE Request” web form. The previous method of submitting requests via email has been discontinued.
The new web form will make it easier for requestors to know what information to include in their initial request, and will enhance MITRE's ability to respond to those requests in a timely manner. User guidance is available on the website and on the form itself. Upon completion of the form, the requestor will receive an immediate web acknowledgement that their form was submitted successfully, and an email confirmation which will include a reference number.
Organizations participating as CNAs assign CVE IDs for their products, and continue to be the first method requesters should use to request a CVE ID when a potential vulnerability is related to a CNA product. Requesters may also contact an emergency response or vulnerability analysis team, such as CERT/CC, or post the information to mailing lists such as BugTraq or oss-security. See https://cve.mitre.org/cve/cna.html for further information.
Feedback can be submitted through the web form or through cve@mitre.org.
LINKS:
CVE ID Request web form -
CVE Request web form guidance -
http://cve.mitre.org/about/documents.html#web_form
Request a CVE ID intro page -
https://cve.mitre.org/cve/request_id.html
CVE IDs –
CVE News page article –
---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing
Managing Editor: Dan Adinolfi, Cyber Security Technical Center. Writer: Bob Roberge.
The MITRE Corporation (www.mitre.org) maintains CVE and provides impartial technical guidance to the CVE Board and CVE Numbering Authorities on all matters related to ongoing development of the CVE Program.
To unsubscribe from the CVE-Announce e-newsletter, open a new email message and copy the following text to the BODY of the message "SIGNOFF CVE-Announce-List", then send the message to: listserv@lists.mitre.org. To subscribe, send an email message to listserv@lists.mitre.org with the following text in the BODY of the message: "SUBSCRIBE CVE-Announce-List".
Copyright 2016, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. CVE is sponsored by US-CERT (www.us-cert.gov) in the office of Cybersecurity and Communications (www.dhs.gov/office-cybersecurity-and-communications) at the U.S. Department of Homeland Security (www.dhs.gov).
For more information about CVE, visit the CVE website at https://cve.mitre.org or send an email to cve@mitre.org.
Tuesday, August 23, 2016
Method to Request CVE IDs from MITRE Changing Soon
Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is designed to bring recent news about Common Vulnerabilities and Exposures (CVE), such as new compatible products, new website features, CVE in the news, etc. right to your email box. CVE is the standard for cyber security vulnerability names. The CVE Board provides oversight and input into CVE’s strategic direction, ensuring CVE meets the vulnerability identification needs of the technology community. CVE Numbering Authorities (CNAs) are major OS vendors, security researchers, and research organizations that assign CVE Identifiers (IDs) to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE IDs in the first public disclosure of the vulnerabilities. Details on subscribing (and unsubscribing) to the email newsletter are at the end. Please feel free to pass this newsletter on to interested colleagues.
Comments: cve@mitre.org
-------------------------------------------------------
CVE-Announce e-newsletter/August 23, 2016
-------------------------------------------------------
Contents:
1. IMPORTANT NOTICE: Method to Request CVE IDs from MITRE Changing Soon
2. Details/Credits + Subscribing and Unsubscribing
FEATURE STORY:
IMPORTANT NOTICE: Method to Request CVE IDs from MITRE Changing Soon
The method to request CVE IDs from MITRE will change on August 29, 2016. Using the new method, CVE ID requestors will complete a “CVE Request” web form when requesting a CVE ID from MITRE. The previous practice of submitting requests via email will be discontinued.
The new web form will make it easier for requestors to know what information to include in their initial request, and will enhance MITRE's ability to respond to those requests in a timely manner. User instructions will be available on the website and on the form itself. Upon completion of the form, the requestor will receive a confirmation message that the request was received and a reference number.
Please send any comments or concerns to cve@mitre.org.
LINKS:
Request a CVE ID -
https://cve.mitre.org/cve/request_id.html
CVE IDs –
https://cve.mitre.org/cve
CVE News page article –
https://cve.mitre.org/news/index.html#august232016_IMPORTANT_NOTICE_Method_to_Request_CVE_IDs_From_MITRE_Changing_Soon
---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing
Managing Editor: Dan Adinolfi, Cyber Security Technical Center. Writer: Bob Roberge.
The MITRE Corporation (www.mitre.org) maintains CVE and provides impartial technical guidance to the CVE Board and CVE Numbering Authorities on all matters related to ongoing development of the CVE Program.
Thursday, August 4, 2016
CVE Announce - August 4, 2016 (opt-in newsletter from the CVE Web site)
designed to bring recent news about CVE, such as new compatible products, new website
features, CVE in the news, etc. right to your email box. Common Vulnerabilities and
Exposures (CVE) is the standard for cyber security vulnerability names. CVE content is
approved by the CVE Editorial Board, which is comprised of leading representatives from
the cybersecurity community. CVE Numbering Authorities (CNAs) are major OS vendors,
security researchers, and research organizations that assign CVE Identifiers to newly
discovered issues without directly involving MITRE in the details of the specific
vulnerabilities, and include the CVE Identifiers in the first public disclosure of the
vulnerabilities. Details on subscribing (and unsubscribing) to the email newsletter are
at the end. Please feel free to pass this newsletter on to interested colleagues.
Comments: cve@mitre.org
-------------------------------------------------------
CVE-Announce e-newsletter/August 4, 2016
-------------------------------------------------------
Contents:
1. CVE Mentioned in Article about Unpatched Vulnerabilities in Smart Lightbulbs on
ThreatPost
2. CVE Mentioned in Article about Apple Patching OS X and iOS Vulnerabilities that Could
Allow Remote Execution via Image Files on ZDNet
3. Minutes from CVE Editorial Board Teleconference Meeting on July 14 Now Available
4. CVE Mentioned in Article about High Percentage of Vulnerabilities Found Unpatched in
Industrial Control Systems (ICS) on Softpedia
5. Also in this Issue
6. Details/Credits + Subscribing and Unsubscribing
FEATURE STORY:
CVE Mentioned in Article about Unpatched Vulnerabilities in Smart Lightbulbs on
ThreatPost
CVE is mentioned in a July 26, 2016 article entitled "Unpatched Smart Lighting Flaws
Pose IoT Risk to Businesses" on ThreatPost.
The main topic of the article is that several "web-based vulnerabilities in Osram
Lightify smart lighting products remain unpatched, despite private notification to the
vendor in late May and CVEs assigned to the issues in June by CERT/CC. Researchers at
Rapid7 today publicly disclosed some of the details on each of the nine vulnerabilities
with temporary mitigation advice users can deploy until a fix is available."
CVE is mentioned when the author states: "Osram Lightify products are indoor and outdoor
lighting products that can be managed over the web or through a mobile application. The
products are used commercially and in homes, and the vulnerabilities are just the latest
to affect connected devices." "... a weak default WPA2 pre-shared key on the Pro solution
(CVE-2016-5056) is the most critical of the nine flaws. The keys use only eight
characters from a limited set of numerals and letters, making it possible to capture a
WPA2 authentication handshake and crack the PSK offline in fewer than six hours."
In addition, CERT/CC is a CVE Numbering Authority (CNA). CNAs are major OS vendors,
security researchers, and research organizations that assign CVE IDs to newly discovered
issues without directly involving MITRE in the details of the specific vulnerabilities,
and include the CVE ID numbers in the first public disclosure of the vulnerabilities.
Visit the CVE Identifier page for CVE-2016-5056 at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5056 to learn more about this
issue.
LINKS:
Threatpost article -
https://threatpost.com/unpatched-smart-lighting-flaws-pose-iot-risk-to-businesses/119479/
CVE IDs -
https://cve.mitre.org/cve
CNAs -
https://cve.mitre.org/cve/cna.html
CVE News page article -
https://cve.mitre.org/news/index.html#august022016_CVE_Mentioned_in_Article_about_Unpatched_Vulnerabilities_in_Smart_Lightbulbs_on_ThreatPost
---------------------------------------------------------------
CVE Mentioned in Article about Apple Patching OS X and iOS Vulnerabilities that Could
Allow Remote Execution via Image Files on ZDNet
CVE is mentioned in a July 22, 2016 article entitled "iOS, Mac vulnerabilities allow
remote code execution through a single image" on ZDNet. The main topic of the article is
that "Security flaws which affect both Apple iOS and Mac devices permit attackers to
grab your passwords and data, researchers claim. ... a set of five vulnerabilities, if
exploited, could lead to data theft and remote code execution -- which in its worst
state may result in device hijacking."
CVE is mentioned when the author states: "The set of bugs, CVE-2016-4631, CVE-2016-4629,
CVE-2016-4630, CVE-2016-1850, and CVE-2016-4637, are all caused by how Apple processes
image formats. Apple offers APIs as interfaces for accessing image data, and ... there are
five remote code execution flaws related to this system. The image files which place Mac
and iOS users at risk are .tiff, often used in publishing, OpenEXR, Digital Asset
Exchange file format XML files, and BMP images." "The malware avoids detection due to
the processing weaknesses, and if exploited, this leads to a heap buffer flow issue
which extends to remote code execution."
In addition, Apple is a CVE Numbering Authority (CNA), assigning CVE IDs for Apple
issues. CNAs are major OS vendors, security researchers, and research organizations that
assign CVE IDs to newly discovered issues without directly involving MITRE in the
details of the specific vulnerabilities, and include the CVE ID numbers in the first
public disclosure of the vulnerabilities.
Visit the CVE Identifier pages for CVE-2016-4631 at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4631; CVE-2016-4629 at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4629; CVE-2016-4630 at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4630; CVE-2016-1850 at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1850; and CVE-2016-4637 at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4637 to learn more about these
issues.
LINKS:
ZDNet article -
http://www.zdnet.com/article/ios-mac-flaw-exposes-your-password-with-one-image-file/
CVE IDs -
https://cve.mitre.org/cve
CNAs -
https://cve.mitre.org/cve/cna.html
CVE News page article -
https://cve.mitre.org/news/index.html#august022016_CVE_Mentioned_in_Article_about_Apple_Patching_OS_X_and_iOS_Vulnerabilities_that_Could_Allow_Remote_Execution_via_Image_Files_on_ZDNet
---------------------------------------------------------------
Minutes from CVE Editorial Board Teleconference Meeting on July 14 Now Available
The CVE Editorial Board held a teleconference meeting on July 14, 2016. Read the meeting
minutes at https://cve.mitre.org/data/board/archives/2016-07/msg00005.html.
OTHER LINKS:
CVE Editorial Board -
https://cve.mitre.org/community/board/
CVE News page article -
https://cve.mitre.org/news/index.html#august022016_Minutes_from_CVE_Editorial_Board_Teleconference_Meeting_on_July_14_Now_Available
---------------------------------------------------------------
CVE Mentioned in Article about High Percentage of Vulnerabilities Found Unpatched in
Industrial Control Systems (ICS) on Softpedia
CVE is mentioned in a July 11, 2016 article entitled "92 Percent of Internet-Available
ICS Hosts Have Vulnerabilities" on Softpedia. The main topic of the article is
discussion of a July 2016 report by Kaspersky Lab that "... following an Internet-wide scan,
[Kaspersky] found 188,019 hosts connected to ICS equipment, in 170 countries around the
globe. Over 170,000 Internet-available ICS devices have vulnerabilities. Of these, 92
percent, or 172,982, contained vulnerabilities that can be exploited to attack, take
over, or even harm devices and their normal mode of operation."
CVE is mentioned when the author states: "According to Kaspersky, most of the vulnerable
devices are located in the US (57,417), followed at a long distance by Germany (26,142),
Spain (11,264), France (10,578), and Canada (5,413). Most of these devices are available
to external connections via the HTTP protocol (116,900), Telnet (29,586), Niagara Fox
(20,622), SNMP (16,752), or Modbus (16,233) ... The vulnerability encountered by far in
ICS/SCADA equipment was Sunny WebBox Hard-Coded Credentials (CVE-2015-3964), found in
11,904 devices."
Visit the CVE Identifier page for CVE-2015-3964 at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3964 to learn more about this
issue.
LINKS:
Softpedia article -
http://news.softpedia.com/news/92-percent-of-internet-available-ics-hosts-have-vulnerabilities-506204.shtml
CVE IDs -
https://cve.mitre.org/cve
CVE News page article -
https://cve.mitre.org/news/index.html#july132016_CVE_Mentioned_in_Article_about_High_Percentage_of_Vulnerabilities_Found_Unpatched_in_Industrial_Control_Systems_ICS_on_Softpedia
---------------------------------------------------------------
ALSO IN THIS ISSUE:
* CVE Mentioned in Article about Oracle's Quarterly Critical Patch Update for 276
Vulnerabilities on ADTMag
* CVE Mentioned in Article about Two Critical Windows Printer Spooler Vulnerabilities on
Threatpost
Read these stories and more news at https://cve.mitre.org/news.
---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing
Managing Editor: Dan Adinolfi, Cyber Security Technical Center. Writer: Bob Roberge. The
MITRE Corporation (www.mitre.org) maintains CVE and provides impartial technical
guidance to the CVE Editorial Board and CVE Numbering Authorities on all matters related
to ongoing development of CVE.
Thursday, June 30, 2016
CVE Announce - June 30, 2016 (opt-in newsletter from the CVE Web site)
designed to bring recent news about CVE, such as new compatible products, new website
features, CVE in the news, etc. right to your email box. Common Vulnerabilities and
Exposures (CVE) is the standard for cyber security vulnerability names. CVE content is
approved by the CVE Editorial Board, which is comprised of leading representatives from
the information security community. CVE Numbering Authorities (CNAs) are major OS
vendors, security researchers, and research organizations that assign CVE Identifiers to
newly discovered issues without directly involving MITRE in the details of the specific
vulnerabilities, and include the CVE Identifiers in the first public disclosure of the
vulnerabilities. Details on subscribing (and unsubscribing) to the email newsletter are
at the end. Please feel free to pass this newsletter on to interested colleagues.
Comments: cve@mitre.org
-------------------------------------------------------
CVE-Announce e-newsletter/June 30, 2016
-------------------------------------------------------
Contents:
1. Two New Organizations Added as CVE Numbering Authorities (CNAs): Hewlett Packard
Enterprise and HP Inc.
2. Minutes from CVE Editorial Board Teleconference Meeting on June 1 Now Available
3. CVE Mentioned in Article about the Android "Godless" Malware on Top Tech News
4. Also in this Issue
5. Details/Credits + Subscribing and Unsubscribing
FEATURE STORY:
Two New Organizations Added as CVE Numbering Authorities (CNAs): Hewlett Packard
Enterprise and HP Inc.
Hewlett Packard Enterprise (HPE) and HP Inc. are now CNAs. HPE is a CNA for HPE issues
only, and HP Inc. is a CNA for HP Inc. issues only. In 2015, Hewlett-Packard Company,
which was formerly a single CNA, split into two separate organizations - Hewlett Packard
Enterprise and HP Inc. - both of which are now participating as CNAs for their own
issues.
CNAs are major OS vendors, security researchers, and research organizations that assign
CVE-IDs to newly discovered issues without directly involving MITRE in the details of
the specific vulnerabilities, and include the CVE-ID numbers in the first public
disclosure of the vulnerabilities.
CNAs are the main method for requesting a CVE-ID number. The following 25 organizations
currently participate as CNAs: Adobe; Apple; Attachmate; BlackBerry; CERT/CC; Cisco;
Debian GNU/Linux; Distributed Weakness Filing Project; EMC; FreeBSD; Google; HP; HPE;
IBM; ICS-CERT; JPCERT/CC; Juniper; Microsoft; MITRE (primary CNA); Mozilla; Oracle; Red
Hat; Silicon Graphics; Symantec; and Ubuntu Linux.
For more information about requesting CVE-ID numbers from CNAs, visit the CVE Numbering
Authorities page on the CVE website at https://cve.mitre.org/cve/cna.html.
LINKS:
HPE -
https://www.hpe.com/
HP Inc. -
http://www.hp.com/
CNAs -
https://cve.mitre.org/cve/cna.html
CVE-ID numbers -
https://cve.mitre.org/cve/identifiers/index.html#defined
CVE List -
https://cve.mitre.org/cve/
CVE News page articles -
https://cve.mitre.org/news/index.html#june292016_Hewlett_Packard_Enterprise_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/index.html#june292016_HP_Inc._Added_as_CVE_Numbering_Authority_CNA
---------------------------------------------------------------
Minutes from CVE Editorial Board Teleconference Meeting on June 2 Now Available
The CVE Editorial Board held a teleconference meeting on June 2, 2016. Read the meeting
minutes at https://cve.mitre.org/data/board/archives/2016-06/msg00024.html.
OTHER LINKS:
CVE Editorial Board -
https://cve.mitre.org/community/board/
CVE News page article -
https://cve.mitre.org/news/index.html#june292016_Minutes_from_CVE_Editorial_Board_Teleconference_Meeting_on_June_2_Now_Available
---------------------------------------------------------------
CVE Mentioned in Article about the Android "Godless" Malware on Top Tech News
CVE is mentioned in a June 22, 2016 article entitled "New 'Godless' Malware Targets
Android Mobile Devices" on Top Tech News. The main topic of the article is discovery of
the "Godless" family of malware targeting Android mobile devices that uses multiple
exploits to root users' devices and can root 90% of Android phones.
CVE is mentioned in a section of the article entitled "Bypassing Security Checks," when
the author states: "Godless is similar to an exploit kit ... [with a framework that] has
various exploits in its arsenal that it can use to root a number of different
Android-based devices. The two most prominent vulnerabilities targeted by the rooting
kit are CVE-2015-3636 (used by the PingPongRoot exploit) and CVE-2014-3153 (used by the
Towelroot exploit). By gaining root privilege, Godless can connect to a
command-and-control (C&C) server capable of delivering remote instructions that force
the device to download and install additional apps without the user's knowledge. At
best, a user receives unwanted apps on the phones. At worst, the same technique can be
used to install a backdoor or spy on the user."
In addition, Google is a CVE Numbering Authority (CNA), assigning CVE-IDs for Chrome,
Chrome OS, and Android Open Source Project issues. CNAs are major OS vendors, security
researchers, and research organizations that assign CVE-IDs to newly discovered issues
without directly involving MITRE in the details of the specific vulnerabilities, and
include the CVE-ID numbers in the first public disclosure of the vulnerabilities.
Visit the CVE Identifier page for CVE-2015-3636 at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3636, and the CVE Identifier
page for CVE-2014-3153 at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3153,
to learn more about these issues.
LINKS:
Top Tech News article -
http://www.toptechnews.com/article/index.php?story_id=1210046ADYM0
CVE-IDs -
https://cve.mitre.org/cve
CNAs -
https://cve.mitre.org/cve/cna.html
CVE News page article -
https://cve.mitre.org/news/index.html#june292016_CVE_Mentioned_in_Article_about_the_Android_Godless_Malware_on_Top_Tech_News
---------------------------------------------------------------
ALSO IN THIS ISSUE:
* CVE Mentioned in Article about Microsoft's Patch Tuesday Fixes for June on SC Magazine
* CVE Mentioned in Article about a Zero-Day Adobe Flash Vulnerability on SC Magazine
* CVE Mentioned in Article about a Vulnerability in Patient Medical Data Tracking
Software on The Register
Read these stories and more news at https://cve.mitre.org/news.
---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing
Managing Editor: Joe Sain, Cyber Security Technical Center. Writer: Bob Roberge. The
MITRE Corporation (www.mitre.org) maintains CVE and provides impartial technical
guidance to the CVE Editorial Board and CVE Numbering Authorities on all matters related
to ongoing development of CVE.
Thursday, May 26, 2016
CVE Announce - May 26, 2016 (opt-in newsletter from the CVE Web site)
designed to bring recent news about CVE, such as new compatible products, new website
features, CVE in the news, etc. right to your email box. Common Vulnerabilities and
Exposures (CVE) is the standard for cyber security vulnerability names. CVE content is
approved by the CVE Editorial Board, which is comprised of leading representatives from
the information security community. CVE Numbering Authorities (CNAs) are major OS
vendors, security researchers, and research organizations that assign CVE Identifiers to
newly discovered issues without directly involving MITRE in the details of the specific
vulnerabilities, and include the CVE Identifiers in the first public disclosure of the
vulnerabilities. Details on subscribing (and unsubscribing) to the email newsletter are
at the end. Please feel free to pass this newsletter on to interested colleagues.
Comments: cve@mitre.org
-------------------------------------------------------
CVE-Announce e-newsletter/May 26, 2016
-------------------------------------------------------
Contents:
1. Distributed Weakness Filing Project Added as CVE Numbering Authority (CNA)
2. Minutes from CVE Editorial Board Teleconference Meeting on May 5 Now Available
3. CVE Mentioned in Article about a Critical Symantec Vulnerability on SC Magazine
4. Also in this Issue
5. Details/Credits + Subscribing and Unsubscribing
FEATURE STORY:
Distributed Weakness Filing Project Added as CVE Numbering Authority (CNA)
The Distributed Weakness Filing (DWF) Project is now a CVE Numbering Authority (CNA) for
open source software issues. CNAs are major OS vendors, security researchers, and
research organizations that assign CVE-IDs to newly discovered issues without directly
involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID
numbers in the first public disclosure of the vulnerabilities.
CNAs are the main method for requesting a CVE-ID number. The following 24 organizations
currently participate as CNAs: Adobe; Apple; Attachmate; BlackBerry; CERT/CC; Cisco;
Debian GNU/Linux; Distributed Weakness Filing Project; EMC; FreeBSD; Google; HP; IBM;
ICS-CERT; JPCERT/CC; Juniper; Microsoft; MITRE (primary CNA); Mozilla; Oracle; Red Hat;
Silicon Graphics; Symantec; and Ubuntu Linux.
For more information about requesting CVE-ID numbers from CNAs, visit the CVE Numbering
Authorities page on the CVE website at https://cve.mitre.org/cve/cna.html.
LINKS:
DWF -
https://github.com/distributedweaknessfiling/DWF-Documentation
CNAs -
https://cve.mitre.org/cve/cna.html
CVE-ID numbers -
https://cve.mitre.org/cve/identifiers/index.html#defined
CVE List -
https://cve.mitre.org/cve/
CVE News page article -
https://cve.mitre.org/news/index.html#may242016_Distributed_Weakness_Filing_Project_Added_as_CVE_Numbering_Authority_CNA
---------------------------------------------------------------
Minutes from CVE Editorial Board Teleconference Meeting on May 5 Now Available
The CVE Editorial Board held a teleconference meeting on May 5, 2016. Read the meeting
minutes at http://cve.mitre.org/data/board/archives/2016-05/msg00019.html.
OTHER LINKS:
CVE Editorial Board -
https://cve.mitre.org/community/board/
CVE News page article -
https://cve.mitre.org/news/index.html#may182016_Minutes_from_CVE_Editorial_Board_Teleconference_Meeting_on_May_5_Now_Available
---------------------------------------------------------------
CVE Mentioned in Article about a Critical Symantec Vulnerability on SC Magazine
CVE is mentioned in a May 17, 2016 article entitled "Symantec's anti-virus engine
updated, flaw could cause Blue Screen of Death" on SC Magazine. The main topic of the
article is that Symantec Corporation "released an update to its anti-virus engine (AVE)
to repair a kernel-level flaw making the software susceptible to a memory access
violation when parsing a specifically-crafted portable-executable (PE) header file."
CVE is mentioned when the author states: "Symantec said the critical vulnerability,
CVE-2016-2208, affected Symantec anti-virus engine version 20151.1.0.32. These malformed
PE files do not require any user interaction to trigger the parsing of the malformed
files, but they can be received through email, downloading a document or application or
by visiting a malicious web site."
In addition, Symantec is a CVE Numbering Authority (CNA), assigning CVE-IDs for Symantec
issues. CNAs are major OS vendors, security researchers, and research organizations that
assign CVE-IDs to newly discovered issues without directly involving MITRE in the
details of the specific vulnerabilities, and include the CVE-ID numbers in the first
public disclosure of the vulnerabilities.
Visit the CVE Identifier page for CVE-2016-2208 at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2208 to learn more about this
issue.
LINKS:
SC Magazine article -
http://www.scmagazine.com/symantecs-anti-virus-engine-updated-flaw-could-cause-blue-screen-of-death/article/496853/
CVE-IDs -
https://cve.mitre.org/cve
CNAs -
https://cve.mitre.org/cve/cna.html
CVE News page article -
https://cve.mitre.org/news/index.html#may182016_CVE_Mentioned_in_Article_about_a_Critical_Symantec_Vulnerability_on_SC_Magazine
---------------------------------------------------------------
ALSO IN THIS ISSUE:
* CVE Identifier "CVE-2016-4117" Cited in Numerous Security Advisories and News Media
References about a Zero-Day Adobe Flash Vulnerability
* CVE Mentioned in Article about Apple Issuing Numerous Patches for iOS and OS X on
eWeek
Read these stories and more news at https://cve.mitre.org/news.
---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing
Managing Editor: Steve Boyle, Cyber Security Technical Center. Writer: Bob Roberge. The
MITRE Corporation (www.mitre.org) maintains CVE and provides impartial technical
guidance to the CVE Editorial Board and CVE Numbering Authorities on all matters related
to ongoing development of CVE.
Wednesday, May 11, 2016
CVE Announce - May 11, 2016 (opt-in newsletter from the CVE Web site)
designed to bring recent news about CVE, such as new compatible products, new website
features, CVE in the news, etc. right to your email box. Common Vulnerabilities and
Exposures (CVE) is the standard for cyber security vulnerability names. CVE content is
approved by the CVE Editorial Board, which is comprised of leading representatives from
the information security community. CVE Numbering Authorities (CNAs) are major OS
vendors, security researchers, and research organizations that assign CVE Identifiers to
newly discovered issues without directly involving MITRE in the details of the specific
vulnerabilities, and include the CVE Identifiers in the first public disclosure of the
vulnerabilities. Details on subscribing (and unsubscribing) to the email newsletter are
at the end. Please feel free to pass this newsletter on to interested colleagues.
Comments: cve@mitre.org
-------------------------------------------------------
CVE-Announce e-newsletter/May 11, 2016
-------------------------------------------------------
Contents:
1. CVE Program Status Update
2. Minutes from CVE Editorial Board Teleconference Meeting on April 21 Now Available
3. CVE Mentioned in Article about a Zero-Day Vulnerability in ImageMagick's Image
Processing Library on Softpedia
4. Also in this Issue
5. Details/Credits + Subscribing and Unsubscribing
FEATURE STORY:
CVE Program Status Update
We continue to work diligently on expanding CVE assignment in ways that meet the needs
of all the various use cases of CVE. Towards that end, we have begun increasing the
number of organizations participating as CVE Numbering Authorities, or "CNAs" (see
https://cve.mitre.org/news/index.html#april222016_Juniper_Added_as_CVE_Numbering_Authority_CNA).
We are also working closely with the CVE Editorial Board to define additional ways for
CNAs to enable CVE to expand its coverage.
Updates on our progress will continue to be posted to https://cve.mitre.org/ as soon as
they occur.
LINKS:
CNAs -
https://cve.mitre.org/cve/cna.html
CVE Editorial Board -
https://cve.mitre.org/community/board/
CVE-IDs -
https://cve.mitre.org/cve
Questions -
cve@mitre.org
---------------------------------------------------------------
Minutes from CVE Editorial Board Teleconference Meeting on April 21 Now Available
The CVE Editorial Board held a teleconference meeting on April 21, 2016. Read the
meeting minutes at https://cve.mitre.org/data/board/archives/2016-05/msg00004.html.
OTHER LINKS:
CVE Editorial Board -
https://cve.mitre.org/community/board/
CVE News page article -
https://cve.mitre.org/news/index.html#may42016_Minutes_from_CVE_Editorial_Board_Teleconference_Meeting_on_April_21_Now_available
---------------------------------------------------------------
CVE Mentioned in Article about a Zero-Day Vulnerability in ImageMagick's Image
Processing Library on Softpedia
CVE is mentioned in a May 3, 2016 article entitled "ImageTragick Exploit Used in Attacks
to Compromise Sites via ImageMagick 0-Day" on Softpedia. The main topic of the article
is the May 3 announcement of "a vulnerability in the ImageMagick image processing
library deployed with countless Web servers, a zero-day which [the researchers who
discovered the issue] say has been used in live attacks."
CVE is mentioned when the author states: "Nicknamed ImageTragick and identified via the
CVE-2016-3714 vulnerability ID, the issue has a massive attack surface, since, alongside
the GD library, ImageMagick is one of the most used image processing toolkits around.
Mitigation instructions are available on ImageTragick's website."
Visit the CVE website page for CVE-2016-3714 at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3714 to learn more about this
issue.
LINKS:
Softpedia article -
https://www.us-cert.gov/
CVE-IDs -
https://cve.mitre.org/cve
CVE News page article -
https://cve.mitre.org/news/index.html#may42016_CVE_Mentioned_in_Article_about_a_Zero_Day_Vulnerability_in_ImageMagicks_Image_Processing_Library_on_Softpedia
---------------------------------------------------------------
ALSO IN THIS ISSUE:
* CVE Mentioned in Article about 40 Android Vulnerabilities on SC Magazine
* CVE Mentioned in Article about Severe Vulnerabilities in Firefox 46 on Threatpost
Read these stories and more news at https://cve.mitre.org/news.
---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing
Managing Editor: Steve Boyle, Cyber Security Technical Center. Writer: Bob Roberge. The
MITRE Corporation (www.mitre.org) maintains CVE and provides impartial technical
guidance to the CVE Editorial Board and CVE Numbering Authorities on all matters related
to ongoing development of CVE.
To unsubscribe from the CVE-Announce e-newsletter, open a new email message and copy the
following text to the BODY of the message "SIGNOFF CVE-Announce-List", then send the
message to: listserv@lists.mitre.org. To subscribe, send an email message to
listserv@lists.mitre.org with the following text in the BODY of the message: "SUBSCRIBE
CVE-Announce-List".
Copyright 2016, The MITRE Corporation. CVE and the CVE logo are registered trademarks of
The MITRE Corporation. CVE is sponsored by US-CERT (www.us-cert.gov) in the office of
Cybersecurity and Communications (www.dhs.gov/office-cybersecurity-and-communications)
at the U.S. Department of Homeland Security (www.dhs.gov).
For more information about CVE, visit the CVE website at https://cve.mitre.org or send
an email to cve@mitre.org.
